Vulnerability Details CVE-2014-4802
The Saved Search Admin component in the Process Admin Console in IBM Business Process Manager (BPM) 8.0 through 8.5.5 does not properly restrict task and instance listings in result sets, which allows remote authenticated users to bypass authorization checks and obtain sensitive information by executing a saved search.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 37.5%
CVSS Severity
CVSS v2 Score 4.0
References
- http://www-01.ibm.com/support/docview.wss?uid=swg1JR50984
- http://www-01.ibm.com/support/docview.wss?uid=swg21684771
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95304
- http://www-01.ibm.com/support/docview.wss?uid=swg1JR50984
- http://www-01.ibm.com/support/docview.wss?uid=swg21684771
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95304
Products affected by CVE-2014-4802
-
cpe:2.3:a:ibm:business_process_manager:8.0.0.0
-
cpe:2.3:a:ibm:business_process_manager:8.0.1.0
-
cpe:2.3:a:ibm:business_process_manager:8.0.1.1
-
cpe:2.3:a:ibm:business_process_manager:8.0.1.2
-
cpe:2.3:a:ibm:business_process_manager:8.0.1.3
-
cpe:2.3:a:ibm:business_process_manager:8.5.0.0
-
cpe:2.3:a:ibm:business_process_manager:8.5.0.1
-
cpe:2.3:a:ibm:business_process_manager:8.5.5.0